Hello gang!
I just joined the mailing list. I have been a long time KeePass user,
but have been looking into pass more recently.
I had an old issue on the KeePassXC GitHub[0] requesting some enhancement,
which the devs did not want to do. Which is fine. I had actually
forgotten all about it, until someone else bumped it a little more
recently.
I then mentioned in passing (yesterday) that I have been considering
pass[1], as it is essentially free-form text files with no limits on
what you can put in them, in case anyone else following the issue
wants to expand their options, as I have been thinking about doing.
Pretty quickly thereafter, both of the main devs replied[2] with some
criticisms of PGP, gpg-agent, and some other concept (KDF?) which I am
not actually even familiar with. The following are their comments,
which I quote in full:
droidmonkey:
Pass offers the barest minimal protections. I would never endorse
the product because it is very easy to expose all of your secrets to
any program by using gpg-agent to remember your credentials. There
is also no concept of a KDF so brute forcing is an option, in fact
their encryption method is undocumented or at least not readily
apparent from their website.
phoerious:
It's PGP, the worst possible way to encrypt stuff in 2020.
Now, I know enough about crypto to know that it is the sort of thing
best left in the hands of people that know more about it than me.
OTOH, I did not think their criticisms of PGP/GPG were really on the
mark (unless they are referring to implementation details, which I
understand are of course important to get right). But there again, I
am but a low level wizard myself, so I thought it best perhaps to pose
this criticism to the mailing list, instead.
Cheers,
TRS-80
[0] https://github.com/keepassxreboot/keepassxc/issues/4696
[1] https://github.com/keepassxreboot/keepassxc/issues/4696#issuecomment-716687928
[2] https://github.com/keepassxreboot/keepassxc/issues/4696#issuecomment-716729476
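The gpg-agent point in droidmonkey's comment is about how long the agent keeps an unlocked passphrase available to any process running as the user. That lifetime is controlled by the real gpg-agent.conf keys default-cache-ttl and max-cache-ttl (both in seconds; gpg-agent's documented defaults are 600 and 7200). The following is an added example, not code from the original post or from the pass or KeePassXC projects: a small POSIX shell audit function that reads a gpg-agent.conf and flags cache lifetimes above a threshold, run against two constructed sample configs (one with a long cache, one tightened). The 900-second threshold and the "tightened" values are assumptions chosen for the demo, not a recommendation from either project.

```shell
#!/bin/sh
# Added example (not from the original post): audit a gpg-agent.conf for
# long passphrase-cache lifetimes. Assumes the standard gpg-agent.conf keys
# default-cache-ttl and max-cache-ttl (seconds). Sample files are constructed.

# check_cache_ttl FILE MAX_SECONDS
# Prints every cache TTL setting in FILE whose value exceeds MAX_SECONDS.
# Returns 0 if none do, 1 otherwise. A key that is absent from the file is
# treated as gpg-agent's documented default (600 / 7200 seconds), because an
# absent key does not mean "no caching".
check_cache_ttl() {
    file=$1
    limit=$2
    rc=0
    for key in default-cache-ttl max-cache-ttl; do
        # last matching line wins, mirroring how a later option overrides an earlier one
        value=$(grep -E "^[[:space:]]*$key[[:space:]]+[0-9]+" "$file" | tail -n 1 | awk '{print $2}')
        if [ -z "$value" ]; then
            case $key in
                default-cache-ttl) value=600 ;;
                max-cache-ttl) value=7200 ;;
            esac
        fi
        if [ "$value" -gt "$limit" ]; then
            echo "$key=$value exceeds $limit seconds in $file"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (hypothetical values, written to a temp dir).
DEMO_DIR=$(mktemp -d)
WEAK_CONF="$DEMO_DIR/gpg-agent.conf.weak"
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: passphrase stays usable for a whole working day
default-cache-ttl 28800
max-cache-ttl 86400
EOF

STRICT_CONF="$DEMO_DIR/gpg-agent.conf.strict"
cat > "$STRICT_CONF" <<'EOF'
# constructed sample: short idle timeout and a hard upper bound
default-cache-ttl 60
max-cache-ttl 300
EOF

# Usage: the weak config is reported, the strict one passes.
if check_cache_ttl "$WEAK_CONF" 900; then
    echo "unexpected: weak config passed"
fi
if check_cache_ttl "$STRICT_CONF" 900; then
    echo "strict config ok"
fi
```

To check a live setup, point the function at ~/.gnupg/gpg-agent.conf; after editing that file the running agent has to be told about it with `gpgconf --reload gpg-agent`. The function only reads the two TTL keys, so a config that relies on other mechanisms (a hardware token with its own PIN cache, for instance) is outside what it can judge.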